You can protect programs using SAF program validation. When a program is loaded or executed, a SAF resource class PROGRAM validation call is issued.
This results in a RACROUTE REQUEST=FASTAUTH,CLASS=PROGRAM call. CA ACF2 does not process REQUEST=FASTAUTH,CLASS=PROGRAM calls by default. You can create a SAFDEF record so that this SAF call is validated, and then write resource rules to control use of the program.
- Create a generic rule for type PGM to allow access to all programs, e.g.
- Create specific rules for the program(s) to be protected, e.g.
You can use masking to allow multiple program access via one rule, e.g.,
This will be used for all programs whose names begin with 'PGM'.
- Make the resource directory for type PGM resident via the GSO INFODIR record:
CHANGE INFODIR TYPES(R-RPGM) ADD
(Note: the directory must be globally resident, not DEMAND or TRANSIENT.)
- Insert a GSO SAFDEF record to override the internal PROGMCHK SAFDEF record:
INSERT SAFDEF.PROGCHKX ID(PROGCHKX) MODE(GLOBAL) -
The internal SAFDEF record is designed to IGNORE all program requests, so it must be overridden:
PROGMCHK JOBNAME=******** USERID=******** PROGRAM=******** RB=********
RETCODE=4 SAFDEF=INTERNAL MODE=IGNORE SUBSYS=ACF2
- Create a GSO CLASMAP record to map the resource class PROGRAM to resource type PGM.
INSERT CLASMAP.PROGRAM RESOURCE(PROGRAM) RSRCTYPE(PGM)
(Note: violations can be logged by specifying the LOG parameter on the CLASMAP record, e.g. INSERT CLASMAP.PROGRAM RESOURCE(PROGRAM) RSRCTYPE(PGM) LOG)
- Issue a Refresh console command to make the INFODIR record effective:
- Issue a Rebuild console command to load the resident rules for type PGM:
- Issue a Refresh console command to make the SAFDEF effective.
It is important to note that as soon as the SAFDEF is activated, ALL program loads are validated, and any program for which validation fails abends with S306-34.
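As an added illustration of the rule sets the two rule-writing steps above call for (this is not text from the original page; the program name PAYUPD and the UID mask are constructed placeholders), here are a generic rule, a specific rule and a masked rule for type PGM:

```text
* Generic rule: any logonid may run any program not covered by a more
* specific $KEY. Without it, every unprotected program load would be
* denied and abend S306-34 once the SAFDEF is active.
$KEY(********) TYPE(PGM)
 UID(*) ALLOW

* Specific rule: only logonids whose UID matches the constructed mask
* *****PAY may run PAYUPD (constructed program name); all others are
* prevented and, with LOG on the CLASMAP record, the denial is logged.
$KEY(PAYUPD) TYPE(PGM)
 UID(*****PAY) ALLOW
 UID(*) PREVENT

* Masked rule: one rule covering every program whose name begins with PGM.
$KEY(PGM-) TYPE(PGM)
 UID(*) ALLOW
```

Because FASTAUTH reads rules from storage, these rule sets are only seen once type PGM is resident via the INFODIR record and a REBUILD has loaded them, as the steps above require.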
FASTAUTH processing retrieves the required rule from storage and calls the resource rule interpreter; for this reason the rules must be made globally resident via the GSO INFODIR record. If access is allowed, an allow return code is set. If access is denied or no rule exists, CA ACF2 checks whether the logonid has the unscoped SECURITY privilege or the NON-CNCL privilege; if either is set, it returns an "allow but log" return code.
With FASTAUTH processing, the following do not occur by default:
- No SMF records, ACF2 violation messages or loggings are produced.
(Note: violations can be logged by specifying LOG on the CLASMAP record, e.g. INSERT CLASMAP.PROGRAM RESOURCE(PROGRAM) RSRCTYPE(PGM) LOG.
This overrides the LOG=NONE default specification on the RACROUTE REQUEST=FASTAUTH.)
- No SVC exits are called.
The message returned when a program validation is denied is determined by the program issuing the RACROUTE FASTAUTH call; CA ACF2 does not control whether the CSV026I or CSV025I message is returned.
Note: there are SAFDEF restrictions with FASTAUTH processing. When processing a SAF RACROUTE REQUEST=FASTAUTH request, CA ACF2 recognizes only the following fields of SAFDEF records in determining whether to process or ignore the request:
Other fields, such as JOBNAME, PROGRAM, RB and RACROUTE(ENTITY=), are ignored. In effect, FASTAUTH resource validation can be globally enabled or disabled, but cannot be enabled for one set of users or entities and disabled for others.